Re: Quic: the elephant in the room

On Sat, Apr 10, 2021 at 02:08:30PM -0400, Viktor Dukhovni wrote:
> Ben's claim that CAs are "more secure" than DNSSEC is demonstrably
> in error in a world where all that CAs do is issue DV certs that
> attest to "domain control".
> 
> If you don't trust the ICANN root, you can't trust DV certs, since
> all they do is memoise some DNS-derived data you don't trust.  Indeed
> it takes DNSSEC (and CAs honouring DNSSEC-signed CAA records) to somewhat
> improve the rather weak assurance that DV provides.
> 
> Perhaps CT adequately hardens this model for Google's domains, if
> they're sufficiently vigilant to detect unauthorised certificate
> issuance (after the fact), but for the rest of us, tracking the
> CT logs is not actually practical.

Indeed, CT works only if people bother to do enough log checking to
increase the risk -real and perceived- to malefactors with access to CA
credentials.  CT can fail to get there generally, leaving us with the
same old name-constraint-less, multi-root WebPKI.

CT is not the answer, and it's not even an answer.  CT might help, and
it's better than nothing, but it's certainly not better than also
addressing the other issues, and it's not better than only addressing
the other issues either.

If QUIC were to depend on DANE, the result would be a shot in the arm to
DNSSEC deployment, which would instantly address the two biggest
problems with WebPKI.

Nico